Californian Sentenced to Prison for HIPAA Violation

[Editor’s note, August 9, 2010: Huping Zhou was the first person in the nation to receive jail time for a misdemeanor HIPAA offense—for accessing confidential records without a valid reason or authorization but not profiting from it through the sale or use of the information.]

A former UCLA Health System employee became the first person in the nation to be sentenced to federal prison for violating HIPAA.

Huping Zhou, 47, of Los Angeles, was sentenced to four months in prison on April 27 after pleading guilty in January to four misdemeanor counts of accessing and reading the confidential medical records of his supervisors and high-profile celebrities, according to the U.S. Attorney’s Office for the Central District of California. Zhou was also fined $2,000.

In 2003, Zhou, who was a licensed cardiothoracic surgeon in China before immigrating to the US, was employed as a researcher with the UCLA School of Medicine.

On October 29, 2003, Zhou received notice that UCLA intended to dismiss him for job performance reasons unrelated to the illegal access of medical records. That night, Zhou accessed and read his immediate supervisor’s medical records as well as those of other coworkers.

Over the next three weeks, Zhou abused his access to the organization’s electronic health record system to view the medical records of celebrities and high-profile patients, including Drew Barrymore, Arnold Schwarzenegger, Tom Hanks, and Leonardo DiCaprio.

According to court documents, Zhou accessed the UCLA record system 323 times during the three-week period. In the plea agreement, Zhou admitted he obtained and read patient health information on four specific occasions — with no legitimate reason, medical or otherwise — after he was terminated from his job.

Zhou did not improperly use or attempt to sell any of the information he illegally accessed, according to the press release. In January, Zhou’s attorney Edward Robinson was quoted in the UCLA student newspaper The Daily Bruin saying Zhou did not know that accessing the records was a federal crime.

111 Comments

Elise Tatosian

May 6, 2010

As a consultant in the Healthcare Industry, I find it difficult to believe that Dr. Zhou was not aware that viewing EHR’s is a crime.

I like your answer on that, because he knew what he was doing. In the medical field there are a lot of doctors that do some under-the-table stuff and down the line they get caught, so he has to pay the consequences for his actions.

I agree, that is so true. So many doctors do things because they think they can get away with it and think just because they have a title behind their name they can do whatever they want to do. But they did the right thing; they made an example out of him, to make the next doctor or doctors who think they can get away with trying to do something of the sort think twice about committing a crime such as that.

Leahlinn Faubion

September 19, 2017

In his case, he was a cardiothoracic surgeon in China, not the USA; in the USA he was just a researcher in the UCLA School of Medicine, not a surgeon. He was in violation of HIPPA.

I believe that Zhou was curious and read the documents of those celebrities without doing any harm.
He did not sell or advertise the records.
I feel a suspension would have been more than a fair punishment.

And if it were your file he had illegally accessed, maybe you could have given that opinion to the judge, hippa has rules and punishments for a reason, any and everyone working in the healthcare industry, researcher or not, knows about hippa laws, and the penalties that come with breaking the rules, so no a suspension would not have been a fair punishment, cause the next shady disgruntled worker will scream for the same penalty.

I do not agree with the punishment, because of the fact he thought he was going to get away with it, and I do think he did it on purpose to see what he can do and how long he can do this without getting caught. I mean, he could have done worse with these people’s information, like bank fraud, etc. You ask me, I think the judge was too soft on him.

He admitted doing it, and being in medical he knew it was wrong morally and unethical. Why did he go in and look at it so many times? Who’s to say he was not going to use it wrongfully, maliciously, against the persons whose records he was looking at?

I feel as though I’m on the fence with the imprisonment. One, being that I am also in the healthcare field, I naturally feel some form of compassion. Two, although he was totally in violation of the HIPPA law, at the time he was a researcher, and, not to attach any humor to this situation, isn’t that what he did? Finally, we have case laws, and the only reason for that is exactly because of unlawful acts such as these.

I agree. But there is no legal mandate that this journal must protect that information or respect the privacy of the individuals listed because the journal is not the one providing the direct HEALTH services to them.

Let’s not just view “Health Services” as only clinical services provided by a health institution. Health services are any services that promote an individual’s total well-being, not limited to only the elimination of disease or injury.
I strongly believe that listing these personalities here on this website will not be healthy to their social well-being or sanity. Zhou may not have used their information for anything else, but that may lead to these people feeling paranoid or to other celebrities’ reluctance to trust their healthcare providers with their information.

Elise, the article did not say that Dr. Zhou was unaware that viewing EHR’s was a crime. It says that his lawyer said that Dr. Zhou was unaware that it was a FEDERAL crime. There’s a big difference. Get your facts strait.

The article does not state which month Dr. Zhou immigrated to the U.S., but it appears, from the way this article is written, that he was here less than a year. It is entirely possible that he did NOT know about HIPPA, even though most of us would find that truly amazing. Nonetheless, ignorance of the law does not save you from it.

I agree with Katy – shame on the Journal for stating the names of celebs whose records he viewed.

Alisa, Elise did not SAY that Dr. Zhou SAID he was not aware this was a crime; she said she could not believe he did not know. His lawyer said he was unaware. I too find it hard to believe he was unaware. Get YOUR facts “strait” (I believe that’s “straight”).

I would hope that anyone hired to work with medical records would be aware of the guidelines for viewing confidential reports and the penalties for breaching confidentiality. I’m very concerned that these kinds of things can get out of control when in the wrong hands. This man obviously got caught but what about those who don’t get caught. Reports are going overseas and who knows what is happening with them. Hopefully we can trust the people we hire but that is not always the case especially when jobs are in jeopardy. He should have never been allowed to stay beyond his day of termination just for a reason like this one. Most companies with sensitive information walk their employees out the door when terminated for fear they will do something just like this.

Because that Dr. had NO REASON to read private, HIPPA protected information. Just because you have “MD” beside your name does not give you the right to access private, privileged information. Privacy, does no one respect that anymore? He is unethical and he is lucky if he is still able to practice.

By the way, I have a license to conceal and carry, does that give me the right to shoot someone just because??? There are laws in the country, and people need to obey them.

It is always a breach of HIPAA when an individual seeks access to protected health information for purposes other than treatment, payment or healthcare operations. I have worked in HIM for years and even before HIPAA, I have denied a physician access to a patient’s health record for personal reasons.

I work at a medical clinic and my HIPAA was violated. I put a restriction on one of the employees who worked in the Health Information department. This employee was allowed to copy multiple EHR records of mine to put in my medical chart. There were no violations according to the manager, because she (the manager) authorized this employee to copy my EHR records. There are 4 other employees in her department, including herself, who could have worked in my chart. This to me was clearly a violation. Does a manager have the authority to bend HIPAA regulations?

This may be a violation of HIPPAA, but it is clearly an example of the very bad IT management that is rampant in our business environments. This person should not have continued to have log-on access past the day he was let go!
How many times and in what other ways is our personal information gathered by disgruntled, DISMISSED employees who do not have their log-on privileges blocked?

My thoughts exactly! His access should have been terminated immediately. I am also wondering why a researcher had access to what sounds like the entire database of patient records. It sounds as though they also need to tighten up the levels of security for different groups. The UCLA health system should be fined for enabling the violations.
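The two comments above describe exactly the audit signals a security team can check for: a user whose termination notice has already been issued still viewing records, and views of coworkers’ or VIP-flagged records by someone with no care or research relationship to them. The following is an added illustration, not code from the article, UCLA, or any commenter; the audit-log format, user names, patient identifiers, roster and dates are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, datetime

# Constructed HR roster (hypothetical): role plus the date a termination
# notice was issued, or None for staff in good standing.
ROSTER = {
    "researcher01": {"role": "researcher", "notice_date": date(2003, 10, 29)},
    "cardio_md02": {"role": "physician", "notice_date": None},
}

# Constructed care/research relationships that justify viewing a record.
RELATIONSHIPS = {
    ("cardio_md02", "P1001"),
    ("cardio_md02", "P1002"),
}

# Constructed patient flags: records belonging to staff, and VIP-flagged records.
PATIENT_FLAGS = {
    "P2001": {"employee_record": True, "vip": False},   # a supervisor's chart
    "P3001": {"employee_record": False, "vip": True},   # a VIP-flagged patient
}

# Constructed EHR audit log in a hypothetical key=value line format.
AUDIT_LOG = """\
2003-10-29T23:41:10 user=researcher01 action=VIEW patient=P2001
2003-10-30T09:12:44 user=cardio_md02 action=VIEW patient=P1001
2003-11-03T21:05:01 user=researcher01 action=VIEW patient=P3001
2003-11-03T21:06:30 user=researcher01 action=VIEW patient=P3001
2003-11-04T08:00:00 user=cardio_md02 action=VIEW patient=P1002
"""


@dataclass
class Finding:
    timestamp: datetime
    user: str
    patient: str
    reasons: tuple


def parse_line(line):
    """Split one audit line into a dict of fields plus a parsed timestamp."""
    ts, *kvs = line.split()
    fields = dict(kv.split("=", 1) for kv in kvs)
    fields["timestamp"] = datetime.fromisoformat(ts)
    return fields


def flag_accesses(log_text, roster=ROSTER, relationships=RELATIONSHIPS,
                  flags=PATIENT_FLAGS):
    """Return a Finding for every record view that needs review."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev.get("action") != "VIEW":
            continue
        reasons = []
        person = roster.get(ev["user"])
        if person is None:
            reasons.append("UNKNOWN_USER")       # account not in HR roster
        elif person["notice_date"] and ev["timestamp"].date() >= person["notice_date"]:
            reasons.append("AFTER_TERMINATION_NOTICE")  # access should be revoked
        if (ev["user"], ev["patient"]) not in relationships:
            reasons.append("NO_CARE_RELATIONSHIP")
        pflags = flags.get(ev["patient"], {})
        if pflags.get("employee_record"):
            reasons.append("STAFF_RECORD")
        if pflags.get("vip"):
            reasons.append("VIP_RECORD")
        if reasons:
            findings.append(Finding(ev["timestamp"], ev["user"], ev["patient"], tuple(reasons)))
    return findings


def views_per_user(findings):
    """Count flagged views per user, the figure a breach report would cite."""
    return Counter(f.user for f in findings)
```

The same join of HR notice dates against the audit log can run as a daily report, so an account that outlives its owner's employment shows up on the first day it is used rather than three weeks later.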

While we as HIM professionals would like to think everyone in the health care setting knows and understands HIPAA, it isn’t always the case. At 2 of my 3 jobs, I received, read, and signed a confidentiality form that briefly explained HIPAA and then also received a longer document about it to keep. At the third job, no such information about HIPAA was provided.

Also, it is often times hard to keep medical staff up on recent changes in HIPAA. The HITECH Act containing the consequences of HIPAA breach is less than a year old and might not have been provided to the medical staff at this facility.

I’m not trying to make excuses for this person, because what they did is obviously wrong (not only according to HIPAA, but also according to general human ethics). I think that by going public with this, it will serve as a good example for those in the health care industry. Hopefully this incident will educate health care professionals throughout the country and encourage them to review what HIPAA is really about.

While that is true, it doesn’t negate the fact that these people are patients too, and if your name was up there, you might feel differently. It may not be a HIPPA violation, but it very well might be an ethical issue.

I agree with Janet. It should be a violation to list the celebs names (unless The Journal had express consent). And viewing records the way this guy did is definitely a HIPAA violation. Even though he came from China, UCLA should have briefed him on HIPAA laws.

People in the health care industry have access to medical records and can look [be nosy] for no apparent or medically based reason at any time when they have access. Some people who have access are medical assistants and office personnel and don’t always have the best education or morals. They should be prosecuted, fined or sanctioned. It’s intrusive, illegal and clearly against HIPAA. If they are unaware, then they have not been trained BUT that is unlikely in the world we live in with all the laws that are in force for HIPAA. Do you want someone in your records just because they are nosy?

Amazing. The guy should be deported back to his original country. The names of those celebs surprised even me, a student; I was wondering who they were, but wow, they should sue the writer of this article for disclosure of personal info still. I don’t feel bad for the nosy doctor, but I instantly feel for the celebrities who did nothing wrong but get help for whatever the conditions were. Three months is not long enough; it should have been three months for each record. This goes to show security needs to be improved on in a major way, and we are releasing PHRs now. What a mess this will be in a few years, with students not knowing really what they are getting into in the HIT field.

As a clarification, Huping Zhou was the first person in the nation to be convicted and incarcerated for misdemeanor HIPAA offenses for merely accessing confidential records without a valid reason or proper authorization. He did not release the information to others or use it for personal gain, but still received jail time – a first for HIPAA violation cases, according to the Central District of California’s United States Attorney’s Office. There have been other HIPAA violation cases before Zhou’s conviction in which people were sent to jail, but they all involved using the information for personal gain or further disclosing the sensitive info. Zhou was the first to be sent to jail just for improperly looking at confidential information.

I read multiple times here about how the author of the article violated HIPPA. This is not a violation since the author does not have access to the records. HIPPA strictly deals only in this matter. The author only has access to court information in which the names of these celebrities became public. It is tacky to name them, but not illegal. It is easy to quickly jump on the blame wagon without getting the facts straight.

I could be COMPLETELY WRONG..and confusing cases here..but it seems to me, that the patients (celebrities) in question, may have testified in this case. although again, I may be completely confusing this case with another one, in which case, their names, would have been made public at that time. Just a thought..

I don’t think folks who are commenting on the story are reading the article thoroughly. Although it says that Dr. Zhou was a cardiothoracic surgeon in China, it says he was hired in the US as a researcher, not an MD. Therefore, in that role, he does not automatically get access to records except as they relate to his research. I think I can be safe in saying that I highly doubt that his supervisor’s records related to his research and is, therefore, more proof that he was looking at records he had no business looking at.

Even though this MD clearly violated HIPAA, this story really should be about how easy it is for people to access medical records when they clearly have no need for them. HIPAA is supposed to be more strict on the security of Patient records, so why wasn’t this addressed? Yes, the MD was responsible for his part, what about the part of the HIT department who didn’t have stricter regulations on access to patient files?

What do you think about students using the 3M system to code medical records? I remember I ran across a close family member’s information, and to this day I have to look at this person and know what they did without her husband knowing. This could happen to anyone, even a student.

No, it is because the journal is not a Covered Entity and is no way bound by the Privacy Rule. Just like in a personal injury lawsuit, if a patient provides his medical records to an attorney, that attorney is not bound by the Privacy Rule.

I agree with Randy above. UCLA is due some blame, as they allowed him to still have access to the clinical systems once they had notified him of his dismissal; shame on them. An angry worker who feels they have nothing more to lose should not be allowed access to PHI once termination or suspension has been decided.

If all the information in the article is accurate, the UCLA Health System is also guilty of not following HIPAA by 1) not training its employees about the requirements of HIPAA, and 2) not removing access to health information from someone who was terminated and/or not having procedures in place to do this.

HIPAA violation. Read the policy and procedures. Training is necessary. Also, should the article not use celebrity names?? Someone who isn’t really paying attention to this article will have it all over the hospital that Will Smith’s son was here???

Great comments! However the part that’s still resonating with me is “— with no legitimate reason, medical or otherwise — after he was terminated from his job.” How did he get access after he was involuntarily terminated? Where is UCLA Compliance (for the training – I agree with others comments) but more importantly IT Security! AND naming the “celebrities” is also a HIPAA violation. Considering he admitted to 323 records at a maximum potential fine of $50K each, he got off easy with four months and $2K fine. So did UCLA as the exposure to them is $150K/patient!

1) To the person who wrote “Since when is it a breach of HIPAA to read medical records when you are an MD?” I hope to God you are not a MD or even in the HIM field because if you don’t know the answer to your own question, then you go back to school. By the way it is HIPAA, not HIPPA.

2) So many comments have horrible misspellings and fragmented sentences that I couldn’t even understand what was being said.

3) I agree with Bob’s comment completely. How is it that a person is fired and still able to access 323 medical records? Where I work, if you’re fired, you are given boxes to put your stuff in and walked out the door. We even have a door code that is changed that day, and your privileges are removed from the system immediately. The gentleman in this story should have received a fine for each record accessed, as well as UCLA for their negligence in security matters. I am curious to know if the judge even addressed UCLA for their negligence in court. If not, shame on him or her. I am also curious to know if UCLA notified each and every one of the 323 individuals that there had been a security breach, which I’m sure you all know is part of the HITECH Act.

4) The names mentioned in the article were purely for shock value I’m sure, but the trial IS a matter of public record and the author has done nothing illegal by reporting peoples names in this story.

As a current medical coding student, I agree with numerous posts stating this person did not have reason to view patients’ personal health information for treatment or payment, two of the HIPAA conditions concerning viewing a patient’s personal health record.

For those inquiring why he still had access to patient records for three weeks, the article states that UCLA intended to dismiss him and there was never a mention of WHEN he was dismissed so I’m assuming he wasn’t dismissed until much later.

We are studying HIPAA in my phlebotomy class right now, and my homework was to find this article. As a student I know that looking at the medical record of any patient, including yourself, is a HIPAA violation, unless you are directly providing care for that patient at the time that you look at the record.

I too am currently a Medical Billing/Coding student. Anyone in the medical field should know that accessing a patient’s PHI when it is not necessary is a federal offense and can be punishable by stiff fines and/or imprisonment. Anyone in the medical field who doesn’t know this either wasn’t taught, didn’t pay attention when they were in school, or simply doesn’t care and thinks that the HIPAA laws don’t apply to them. Ridiculous.

To Hendrix: Although it is difficult as a student to know all of the nuances of HIM and HIPAA, it is your responsibility to recuse yourself if assigned a family member’s record. You should not be reviewing or coding the record of a family member.

A Farmers Insurance attorney went to my doctor, lied and said that I agreed to release my medical record. I never even talked to the guy. He even said the court ordered it, without any court order, and my doctor gave the records to him, and now he blames my doctor. Well, both are wrong; come to find out, he paid my doctor.

He should have known better. He was a licensed cardiothoracic surgeon; he should know that. And not only that, they teach things like that in school. I know; I am currently in school for medical assistant. I know that.

As an RHIT student about to graduate, I had to sign a non-disclosure form at my practicum site. As a former employee way back when at LAC-USC in East Los Angeles (LA County Hospital), we knew if we even talked about a patient’s file between co-workers it was grounds for immediate termination, and we were unionized. So I find it hard to believe he did not know, but even with ignorance comes the common sense of knowing right from wrong. These other innocent people had nothing to do with his termination.

This is the correct spelling of HIPAA, not HIPPA. But I also just want to say that for any record that you have accessed, you can be questioned later. Will you remember the business need for it? If you don’t, you could be prosecuted too, and they can make a case that you were being nosy. Remember, this is a federal violation which could land you in federal prison. Don’t ya love our government. For every federal rule, a violation is now a federal crime; it seems it’s U.S. GOVT vs. U.S. CITIZEN anymore. So you better document why you accessed each and every record you access.

I think that everyone stating “this article violates HIPAA because it states the celebrities’ names” should go over all aspects of the HIPAA law. I’m not sure how it violates it if the writer of this article did not read these celebrities’ PHRs, and the writer also did not disclose any information that would be obtained from the records other than who the records belonged to. Lol.

This is not the reason at all. The journal writer is not a covered entity and is not bound by the Privacy Rule. If he had the entire medical record of one of those individuals and published it he would not be in violation of the Privacy Rule. There might be civil claims, but not related to HIPAA. Only the Covered Entity is governed by HIPAA. Get a copy of your medical record and give it to your neighbor. That neighbor isn’t bound by HIPAA.

I feel that the punishment he received was just a slap in the face; his punishment was not firm enough. In my opinion, he should not be able to enter any clinic or hospital without being supervised by an M.A. or M.O.S., and if he ever gets sick for some unknown reason, do not leave him alone in a room with a computer. He can stand some watching around anybody’s computer at any place of business.

I FEEL LIKE HE SHOULD HAVE GOTTEN MORE TIME, BECAUSE NO MATTER WHERE YOU’RE FROM IN THE WORLD THERE ARE RULES, SO IF HE DIDN’T KNOW HE SHOULD HAVE LEARNED A LITTLE MORE BEFORE TAKING THAT STEP. THERE ARE RULES IN CHINA, SO WHAT MADE HIM THINK THAT WAS OK? HE MADE A POOR STEP.

I think he should have gotten more time, because, working in healthcare, I find it hard to believe that he did not know it was a crime, and he shouldn’t have been in somebody else’s files who is not a patient of his.

Mr. Zhou knew exactly what he was doing. He violated the HIPPA law. He should not have read the doctor’s notes unless he was told to. All he got was four months. He should be grateful that’s all he received.

I don’t know if he knew it was a crime or not, but knowingly using his access to look into someone else’s personal record is a violation of that person’s privacy and intrudes upon the doctor/patient relationship. Four months is light for the level of damage he could have caused.
If anybody could just hop on the internet and look up your information, imagine if that was your records and your privacy was violated; what do you think about the laws now!

“A major goal of the Privacy Rule is to assure that individuals’ health information is properly secured while allowing the flow of health information needed to provide and promote high quality health care and to protect the public’s health and well being.”–Summary of the HIPAA Privacy Rule. In my opinion I feel like his punishment was well thought-out. We should find a better way to keep patients’ medical records more confidential.

The HIPPA laws can be violated by texting, social media and mishandling of patients’ records. Illegal access of a patient record is also a breach that could arise from a social situation. HIPPA violations can be avoided with precautions and adequate training.